
603 points scalewithlee | 1 comments
Y_Y No.43793778
Does it block `/etc//hosts` or `/etc/./hosts`? This is a ridiculous kind of whack-a-mole that's doomed to failure. The people who wrote these should realize that hackers are smarter and more determined than they are and you should only rely on proven security, like not executing untrusted input.
replies(6): >>43793862 >>43793868 >>43793954 >>43794072 >>43794473 >>43802345
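Worked illustration of the whack-a-mole point above (added here; it is not code from the thread or from any WAF product). It contrasts a substring blocklist of the kind the comment criticises with a canonicalize-and-confine check that asks the question a file server actually cares about: does the requested path resolve outside the document root? The webroot `/srv/www`, the request paths and the blocklist entry are all constructed for the example; the `/etc//hosts` and `/etc/./hosts` spellings are the ones the comment mentions.

```python
import posixpath

# Constructed: the one pattern the hypothetical WAF rule matches on.
BLOCKLIST = ("/etc/hosts",)

# Constructed: the document root of a hypothetical file server.
WEBROOT = "/srv/www"


def naive_blocklist_blocks(path: str) -> bool:
    """Pattern-matching approach: reject the request if it contains a known bad string.

    It never looks at where the path really lands, so it both over-blocks
    (any benign path containing the string) and under-blocks (any spelling
    that differs from the pattern by a single extra '/' or '.').
    """
    return any(bad in path for bad in BLOCKLIST)


def canonical_path(base_dir: str, requested: str) -> str:
    """Map a request path onto the filesystem the way a static file server does.

    Leading slashes are stripped because the URL path is always relative to the
    document root; normpath then collapses '//' and '/./' and resolves '..'
    lexically, so every spelling of the same target yields the same result.
    """
    base = posixpath.normpath(base_dir)
    return posixpath.normpath(posixpath.join(base, requested.lstrip("/")))


def resolves_outside(base_dir: str, requested: str) -> bool:
    """True if the canonicalized request escapes base_dir, regardless of how it was spelled."""
    base = posixpath.normpath(base_dir)
    prefix = base if base.endswith("/") else base + "/"
    candidate = canonical_path(base, requested)
    return not (candidate == base or candidate.startswith(prefix))


def verdicts(requested: str) -> dict:
    """Return both checks for one request so the two approaches can be compared side by side."""
    return {
        "request": requested,
        "blocklist_blocks": naive_blocklist_blocks(requested),
        "resolves_to": canonical_path(WEBROOT, requested),
        "escapes_webroot": resolves_outside(WEBROOT, requested),
    }


if __name__ == "__main__":
    # Constructed sample requests: a benign one that merely contains the string,
    # and the two spellings from the thread combined with a traversal prefix.
    for req in ("docs/etc/hosts", "/etc/hosts", "../../etc/hosts", "../../etc//hosts", "../../etc/./hosts"):
        print(verdicts(req))
```

Running it shows the mismatch the comment describes: `docs/etc/hosts` and a plain `/etc/hosts` are blocked by the pattern although both resolve harmlessly inside `/srv/www`, while `../../etc//hosts` and `../../etc/./hosts` slip past the pattern yet canonicalize to `/etc/hosts` outside the root, where the confinement check refuses them.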
mystifyingpoi No.43793862
No one expects any WAF to be a 100% solution that catches all exfiltration attempts ever, and it should not be treated this way. But having it is generally better than not having it.
replies(7): >>43793876 >>43793969 >>43794144 >>43794428 >>43795337 >>43796158 >>43796295
paxys No.43793876
> But having it is generally better than not having it.

So is HN and every other site in the world insecure because it allows users to post "/etc/hosts"?

replies(3): >>43793948 >>43793953 >>43794001
mystifyingpoi No.43793948
Maybe? I don't know nor care. Assuming that HN has a vuln with path traversal, a sanely configured WAF would block the traversal attempt.
replies(2): >>43793977 >>43794135
latexr No.43794135
I propose someone who doesn’t know or care how a system works shouldn’t be prescribing what to do to make it secure. Otherwise this is like suggesting every gate must have a lock to be secure, even those which aren’t connected to any walls.

https://i.imgur.com/ntYUQB1.jpeg

replies(1): >>43797156
MatthiasPortzel No.43797156
> someone who doesn’t know or care how a system works shouldn’t be prescribing what to do to make it secure

The part that’s not said out loud is that a lot of “computer security” people aren’t concerned with understanding the system. If they were, they’d be engineers. They’re trying to secure it without understanding it.

replies(1): >>43800393
saagarjha No.43800393
Good computer security people are engineers.